Home    |    View Topics    |    Search    |    Contact Us    |   



Category:   Application (Multimedia)  >   Adobe Flash Player Vendors:   Macromedia
Macromedia Flash Content May Facilitate Cross-Site Scripting Via the 'clickTAG'
SecurityTracker Alert ID:  1006563
SecurityTracker URL:
CVE Reference:   CVE-2003-0208   (Links to External Site)
Updated:  Apr 4 2004
Original Entry Date:  Apr 14 2003
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   A vulnerability was reported in various Macromedia Flash applications (not in the player itself). A malicious web page could cause Flash content to execute arbitrary scripting code.

SecuriTeam announced a Scan Security Wire report of a vulnerability in some Macromedia Flash applications.

As a feature of Flash, an advertising network can supply a 'clickTAG' tracking code to a Flash-based advertisement. The Flash player itself does not validate the clickTAG, so Flash-based application content must perform the validation.

A remote user can reportedly create a malicious HTML page and feed a specially crafted clickTAG value to some Flash content (located on an arbitrary site). If the Flash-based content's ActionScript code calls the getURL function with the specially crafted JavaScript-based URL, arbitrary scripting code could be executed in the context of the Flash content's security domain. As a result, the code will be able to access the target user's cookies (including authentication cookies), if any, associated with the site serving the Flash content, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.

Impact:   A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site hosting the vulnerable Flash content, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution:   The vendor states that a new player version is not required, as this is a vulnerability in some Flash content and not in the player.

The vendor advises that Macromedia Flash advertisements that accept clickTAGs must be written to validate the input. In particular, the vendor recommends that the clickTAG URL begins with the string "http:".

For more information from the vendor, see their advisory at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [NEWS] Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site:
- - promotion

In the US?

Contact Beyond Security at our new California office
housewarming rates on automated network vulnerability
scanning. We also welcome ISPs and other resellers!

Please contact us at: 323-882-8286 or
- - - - - - - - -

  Misuse of Macromedia Flash Ads clickTAG Option May Lead to Privacy Breach


"Over 497 million Internet users now use Macromedia Flash Player to 
seamlessly view content created with Macromedia Flash, the solution for 
developing rich Internet content and applications."

A vulnerability discovered in Macromedia Flash ad user tracking field 
allows a remote user to perform Cross-Site-Scripting attacks and retrieve 
session information. 


About the 'clickTAG' option:

Macromedia flash supplies user-tracking field to swf (flash movies) ads:
"The clickTAG is the tracking code assigned by the ad serving network to 
an individual ad. The clickTAG allows the network to register where the ad 
was displayed when it was clicked on. This click through data is reported 
to the ad serving servers so advertisers may determine the effectiveness 
of their campaign. 

The code below will allow ad serving networks to dynamically assign a 
clickTAG to their ad. 

In this example, a getURL action is being assigned to a button that will 
navigate the browser to ["clickTAG"]. The "getURL(clickTAG)" statement 
appends the variable data passed in via the OBJECT EMBED tag and navigates 
the browser to that location. It is the tracking code assigned by the ad 
serving network, which allows them to register a user's click on that 

<EMBED src="ad_banner_example.swf?clickTAG=" >   ..."

The information was taken from Macromedia designer's guide:

Vulnerability details:

Vulnerability in the clickTAG field enables a remote user to run malicious 
javascript code in the context of the remote web site, and therefore 
retrieve session information and possibly other sensitive information.
For example in the following script:
("XXXX" = arbitrary script or tag)

Replacing "XXXX" with a script to steal cookies will enable an attacker to 
perform session hijacking if the session is saved in the cookie, or to 
gain the private information present in ad tracking cookies.


"A new player version is NOT required. Macromedia Flash advertisements 
that accept clickTAGs need to validate that the clickTAG URL begins with 
"http:". This helps ensure the clickTAG does not contain malicious code."
Quote from the official Macromedia security advisory.

We recommend that all user input should be filtered for malicious code and 
characters and never trusted "as-is".

Vendor status:
We would like to thank Macromedia for its prompt response and cooperation 
for solving this issue.
Macromedia quickly acted to notify possibly affected sites and has 
released an official security announcement, which can be found at:

Macromedia has also revised the Designer's Guide and added this note:
"Note: The ActionScript in this Flash advertisement is verifying that the 
clickTAG URL begins with "http:". This is an important security measure. 
If you do not take this precaution, a malicious HTML page could source 
your SWF and pass a clickTAG URL that begins with "javascript:" or another 
scripting pseudo-protocol. If your ActionScript code were to call getURL 
with a maliciously crafted JavaScript URL, it would be possible for the 
site serving the malicious HTML page to obtain the contents of your HTTP 
cookies or perform other actions on your site's behalf."


The vulnerability was reported by Scan Security Wire  


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
In order to subscribe to the mailing list, simply forward this email to: 


The information in this bulletin is provided "AS IS" without warranty of any kind. 
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business
 profits or special damages. 


Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2020, LLC